In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money making schemes.
Mr. Shefel, who recently changed his legal surname to Lenin, was the star of last year’s story, Ten Years Later, New Clues in the Target Breach. That investigation detailed how the 38-year-old Shefel adopted the nickname Rescator while working as vice president of payments at ChronoPay, a Russian financial company that paid spammers to advertise fake antivirus scams, male enhancement drugs and knockoff pharmaceuticals.
Mr. Shefel did not respond to requests for comment in advance of that December 2023 profile. Nor did he respond to reporting here in January 2024 that he ran an IT company with a 34-year-old Russian man named Aleksandr Ermakov, who was sanctioned by authorities in Australia, the U.K. and U.S. for stealing data on nearly 10 million customers of the Australian health insurance giant Medibank.
But not long after KrebsOnSecurity reported in April that Shefel/Rescator also was behind the theft of Social Security and tax information from a majority of South Carolina residents in 2012, Mr. Shefel began contacting this author with the pretense of setting the record straight on his alleged criminal hacking activities.
In a series of live video chats and text messages, Mr. Shefel confirmed he indeed went by the Rescator identity for several years, and that he did operate a slew of websites between 2013 and 2015 that sold payment card data stolen from Target, Home Depot and a number of other nationwide retail chains.
Shefel claims the true mastermind behind the Target and other retail breaches was Dmitri Golubov, an infamous Ukrainian hacker known as the co-founder of Carderplanet, among the earliest Russian-language cybercrime forums focused on payment card fraud. Mr. Golubov could not be reached for comment, and Shefel says he no longer has the laptop containing evidence to support that claim.
Shefel asserts he and his team were responsible for developing the card-stealing malware that Golubov’s hackers installed on Target and Home Depot payment terminals, and that at the time he was technical director of a long-running Russian cybercrime community called Lampeduza.
“My nickname was MikeMike, and I worked with Dmitri Golubov and made technologies for him,” Shefel said. “I’m also godfather of his second son.”
A week after breaking the story about the 2013 data breach at Target, KrebsOnSecurity published Who’s Selling Cards from Target?, which identified a Ukrainian man who went by the nickname Helkern as Rescator’s original identity. But Shefel claims Helkern was subordinate to Golubov, and that he was responsible for introducing the two men more than a decade ago.
“Helkern was my friend, I [set up a] meeting with Golubov and him in 2013,” Shefel said. “That was in Odessa, Ukraine. I was often in that city, and [it’s where] I met my second wife.”
Shefel claims he made several hundred thousand dollars selling cards stolen by Golubov’s Ukraine-based hacking crew, but that not long after Russia annexed Crimea in 2014 Golubov cut him out of the business and replaced Shefel’s malware coding team with programmers in Ukraine.
Golubov was arrested in Ukraine in 2005 as part of a joint investigation with multiple U.S. federal law enforcement agencies, but his political connections in the country ensured his case went nowhere. Golubov later earned immunity from prosecution by becoming an elected politician and founding the Internet Party of Ukraine, which called for free internet for all, the creation of country-wide “hacker schools” and the “computerization of the entire economy.”
Mr. Shefel says he stopped selling stolen payment cards after being pushed out of the business, and invested his earnings in a now-defunct Russian search engine called tf[.]org. He also apparently ran a business called click2dad[.]net that paid people to click on ads for Russian government employment opportunities.
When those enterprises fizzled out, Shefel reverted to selling malware coding services for hire under the nickname “Getsend“; this claim checks out, as Getsend for many years advertised the same Telegram handle that Shefel used in our recent chats and video calls.
Shefel acknowledged that his outreach was motivated by a desire to publicize several new business ventures. None of those will be mentioned here because Shefel is already using my December 2023 profile of him to advertise what appears to be a pyramid scheme, and to remind others within the Russian hacker community of his skills and accomplishments.
Shefel says he is now flat broke, and that he currently has little to show for a storied hacking career. The Moscow native said he recently heard from his ex-wife, who had read last year’s story about him and was suddenly wondering where he’d hidden all of his earnings.
More urgently, Shefel needs money to stay out of prison. In February, he and Ermakov were arrested on charges of operating a short-lived ransomware affiliate program in 2021 called Sugar (a.k.a. Sugar Locker), which targeted single computers and end-users instead of corporations. Shefel is due to face those charges in a Moscow court on Friday, Nov. 15, 2024. Ermakov was recently found guilty and given two years probation.
Shefel claims his Sugar ransomware affiliate program was a bust, and never generated any profits. Russia is known for not prosecuting criminal hackers within its borders who scrupulously avoid attacking Russian businesses and consumers. When asked why he now faces prosecution over Sugar, Shefel said he’s certain the investigation was instigated by Pyotr “Peter” Vrublevsky — the son of his former boss at ChronoPay.
ChronoPay founder and CEO Pavel Vrublevsky was the key subject of my 2014 book Spam Nation, which described his role as head of one of Russia’s most notorious criminal spam operations.
Vrublevsky Sr. recently declared bankruptcy, and is currently in prison on fraud charges. Russian authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes. They also accused Vrublevsky of facilitating money laundering for Hydra, the largest Russian darknet market at the time. Hydra trafficked in illegal drugs and financial services, including cryptocurrency tumbling for money laundering, exchange services between cryptocurrency and Russian rubles, and the sale of falsified documents and hacking services.
However, in 2022 KrebsOnSecurity reported on a more likely reason for Vrublevsky’s latest criminal charges: He’d been extensively documenting the nicknames, real names and criminal exploits of Russian hackers who worked with the protection of corrupt officials in the Russian Federal Security Service (FSB), and operating a Telegram channel that threatened to expose alleged nefarious dealings by Russian financial executives.
Shefel believes Vrublevsky’s son Peter paid corrupt cops to levy criminal charges against him after reporting the youth to Moscow police, allegedly for walking around in public with a loaded firearm. Shefel says the Russian authorities told the younger Vrublevsky that he had lodged the firearms complaint.
In July 2024, the Russian news outlet Izvestia published a lengthy investigation into Peter Vrublevsky, alleging that the younger son took up his father’s mantle and was responsible for advertising Sprut, a Russian-language narcotics bazaar that sprang to life after the Hydra darknet market was shut down by international law enforcement agencies in 2022.
Izvestia reports that Peter Vrublevsky is currently living in Switzerland, where he reportedly fled in 2022 after being “arrested in absentia” in Russia on charges of running a violent group that could be hired via Telegram to conduct a range of physical attacks in real life, including firebombings and muggings.
Shefel claims his former partner Golubov was involved in the development and dissemination of early ransomware strains, including Cryptolocker, and that Golubov remains active in the cybercrime community.
Meanwhile, Mr. Shefel portrays himself as someone who is barely scraping by with the few odd coding jobs that come his way each month. Incredibly, the day after our initial interview via Telegram, Shefel proposed going into business together.
By way of example, he suggested maybe a company centered around recovering lost passwords for cryptocurrency accounts, or perhaps a series of online retail stores that sold cheap Chinese goods at a steep markup in the United States.
“Hi, how are you?” he inquired. “Maybe we can open business?”
I guess you lose all the shots you don’t take.
I just don’t know how he’s not able to get a more legitimate job.
Seems like a nice guy. Certainly more honest and upright than any filthy yank.
He was remarkably forthright. I’m sure he didn’t tell me the whole truth all the time, but most of what he did share tracks.
I feel like he’s working with FSB to feed bad information to the americans to redirect responsibility to an entity we support (ukraine).
I wonder, is it a cultural difference? Or do these people believe that you are some sort of criminal yourself? Or do they think you are daft? The only other possibility I can think of is a strong belief that “asking never hurts”.
Otherwise, a sane person in your position would never agree to go into business with a broke criminal. It is quite mind-boggling to think so.
I was similarly baffled and taken by surprise. He seems like a very resourceful and clever guy who has zero business sense and spotty follow-through. People like that tend to be dreamers by nature, but he’s also an incredibly intense guy. He sent me like 10 selfies in real time, and in almost every one he looked at the camera like he wanted to crush it with his eyes. I’m not sure what’s going on upstairs with him, but he did mention some psychological attacks he believed the FSB was perpetrating against him that had clouded his mind on certain things. I stopped asking about that after he suggested they had poisoned his air with some kind of mind agent.
Sounds nutty, but would you really put it past them? Reminds me of a time when you would be thought of as nutty to say a government was tracking you. Not so much anymore.
Yeah sounds nutty but seems plausible. A gas or vapor with an entheogenic, entactogenic, or other similar property combined with some kind of subliminal programming via auditory and/or visual channels doesn’t seem that far fetched. Whether this person would be a target of that or not is the question. Teams followed Navalny everywhere. Surely some of the old hackers are expendable at this point.
I suspect this is a classic case of undiagnosed neurodivergence, that is quite common amongst young and enterprising hackers, who for many reasons, be it cultural, financial or other, lack the social skills or support networks to direct their talents into more wholesome directions. The digital world attracts many unscrupulous figures and without the ability to recognise dark social traits, these individuals easily become victims to exploitation of their skill set, all for a sense of worth that they cannot achieve in their offline world. This is not to forgive him for his actions but may at least give an understanding for his behaviour. Once you have entered the dark side it is usually very hard to return.
wait what.. so nobody should send Krebs n pics for free security awareness training?!!
my meema said this was a trust worthy, aol learning site.
Love your content Krebs, I am on an iPhone 14 max, and sometimes the story does a really weird wrap on the left side of an image, making it difficult to read. Just wanted to point that out!
Thanks for the feedback, Matt. Does it still look that way in landscape mode, or only when looking at it vertically?
Landscape is more readable, in portrait it’s only 7 characters wide leading to some strange wrapping.
Same wrap on images on my iPhone XR.
I suspect there are some folks at CIS who would be happy to help Mr Shefel/Lenin deal with those Russian charges.
I don’t know how you can stand dealing with such garbage people. All of the criminals in this story are disgusting people.
You think he’s having some sort of mental crisis? He might be losing it a little. Homeboy go talk to a therapist and think about your life.
Not the point obviously, but his trigger discipline is appalling.
Came here to say the exact same thing.
I know this guy, he was in a mental hospital, so you may not believe almost everything he says..
So, I wonder if Dmitri Golubov is still involved in Ukrainian politics and government corruption.